Tens of thousands of people have downloaded what they believed were useful AI tools for their browsers, only to give hackers a direct path into their most private online activity, including emails.
According to LayerX, over 260,000 Chrome users installed at least 30 malicious browser extensions masquerading as AI helpers. These claimed features, like chat support, email drafting, and content summaries, but in reality, they were quietly siphoning data in the background.
Trusted AI names used as cover
The timing was not random. With people eagerly adopting AI tools for both work and personal use, attackers seized on that excitement to slip in under the radar. The bogus extensions claimed ties to familiar AI services such as ChatGPT, Claude, Gemini, and Grok, brands that inspire instant recognition and confidence.
Although they went by different names, displayed varied logos, and carried distinct descriptions, all 30 extensions were fundamentally identical beneath the surface. They ran the same underlying code, requested the same broad permissions, and funneled data to the same concealed servers.
LayerX researchers described the approach as “extension spraying”, flooding the store with near-identical variants to evade detection and removal by Chrome Web Store moderators. The strategy paid off: several even earned “featured” placement, boosting their apparent legitimacy and helping rack up more installations.
What made these extensions particularly insidious was their method of operation. Instead of performing any genuine AI processing locally on the user’s device, they pulled in hidden full-screen overlays hosted on attacker-controlled servers, one confirmed domain being tapnetic.pro.
This setup allowed the operators to alter the extension’s behavior on the fly, without ever submitting updates through Google’s review process. Users had no way to spot the shifts.
Once active, the extensions could extract text, page titles, and other elements from any site a person visited, including protected pages that required logins, such as workplace portals or personal accounts, and relay everything to remote servers.
Gmail users in the crosshairs
Fifteen of the 30 extensions zeroed in on Gmail users specifically. LayerX dubbed this group the “Gmail integration cluster.” Marketed under separate names and pitched for different uses, all 15 shared the exact same code targeting Gmail. It injected scripts directly into Gmail’s interface, repeatedly grabbing the text of any open conversations visible on screen.
In simpler terms, full email content, including drafts and entire threads, could be pulled from Gmail and shipped off to the attackers’ servers. The report added that using Gmail’s built-in AI tools, such as smart replies or message summaries, sometimes triggered even greater capture of content, sending it beyond Google’s ecosystem.
This fits into a broader and worsening pattern. LayerX pointed out that only a month prior, they exposed 16 other extensions designed to steal session tokens from ChatGPT accounts, impacting over 900,000 users. In another case, two AI sidebar extensions leaked chat histories from DeepSeek and ChatGPT, affecting an additional 900,000 installs.
With Chrome boasting roughly 3 billion users globally and Gmail serving 2 billion, the browser’s extension ecosystem makes an especially tempting target for this kind of operation.
Anyone who is worried they’ve been hit can check LayerX’s published list of the malicious extensions. Simply head to “chrome://extensions” in your browser to inspect installed items and uninstall anything questionable. Enabling two-step verification on accounts is another smart step right now.
Zargarov delivered a blunt caution: “As generative AI continues to gain popularity, defenders should expect similar campaigns to proliferate.” Security professionals emphasize that the safest route is relying on AI features already integrated into trusted apps and platforms, rather than rolling the dice on unfamiliar third-party extensions.
